WorkOS Docs Homepage
Integrations
DashboardSign In

SimpleSAMLphp

Learn how to configure a SimpleSAMLphp connection.

Each SSO Identity Provider requires specific information to create and configure a new Connection. Often, the information required to create a Connection will differ by Identity Provider.

To create a SimpleSAMLphp SAML Connection, you’ll need the Identity Provider Metadata URL that is available from the organization’s SimpleSAMLphp instance.

WorkOS provides the ACS URL, the SP Metadata Link and the SP Entity ID. They are readily available in your Connection Settings in the WorkOS Dashboard.

A screenshot showing where to find the ACS URL, SP Metadata and SP Entity ID in the WorkOS dashboard.

The ACS URL is the location an Identity Provider redirects its authentication response to. The SP Metadata link contains a metadata file that the organization can use to set up the SAML integration. The SP Entity ID is a URI used to identify the issuer of a SAML request, response, or assertion.

In order to integrate, you’ll need the IdP Metadata URL.

Normally, this will come from the organization’s IT Management team when they set up your application’s SAML configuration in their SimpleSAMLphp instance. But, should that not be the case during your setup, here’s how to obtain it.

Follow the SimpleSAMLphp documentation to set up SimpleSAMLphp as an Identity Provider and add a new SP.

Copy and paste the ACS URL and SP Entity ID into the corresponding fields for Service Provider configuration. You can find more on how to structure this under “Adding SPs to the IdP” in the SimpleSAMLphp documentation linked above.

The necessary SP metadata can also be found in the SP metadata URL provided in the WorkOS Dashboard.

You will need to send the following 4 required attributes in the SAML Response: firstName, lastName, email, and id.

Ensure the following attribute mapping is set:

  • A user’s first name → firstName
  • A user’s last name → lastName
  • A user’s email address → email
  • A unique identifier representing a user → id

Users can automatically be assigned roles within your application by sending their group memberships. To enable this, set up a group attribute statement following the guidance below.

This feature is currently in beta, contact customer support for more information.

To return this information in the attribute statement, map the groups in your identity provider to a SAML attribute named groups.

Obtain the IdP Metadata URL. As noted in the “Adding this IdP to other SPs” section of the SimpleSAMLphp documentation, the IdP metadata URL should be available from /saml2/idp/metadata.php.

A screenshot showing where to edit the IdP metadata URL in the WorkOS dashboard.

Alternatively, you can manually configure the connection by providing the IdP URI (Entity ID), IdP SSO URL and X.509 Certificate.

A screenshot showing how to switch to manual IdP metadata configuration in the WorkOS dashboard.
A screenshot showing how to manually configure the IdP metadata in the WorkOS dashboard.

Your Connection will then be Active and good to go!